So I am very interested in password encryption. I have created the below script and wanted some feedback as to see if it is a legitimate way to verify/secure a password, or if it simply isn't helping any. Any feedback is welcome:
$pass = "Test!234";
$salt = crypt($pass);
$enc_pass = crypt($pass . $salt);
if(crypt($pass . $salt, $enc_pass) == $enc_pass){
echo "Success!";
}
else{
echo "Fail!";
}
your mechanism is not really following best practices of using crypt
PHP crypt has a particular way of generating salts, and also of putting itself into different modes. You have to know a lot of specifics about how the algorithms are specified to ensure you get an actually secure one.
A better method to use is password_hash, which makes it easier to specify your hashing algorithm. Make sure to use PASSWORD_BCRYPT, a high cost factor, and a randomly generated salt.
Additionally, no matter what algorithm you use, you should be certain to use a unique, random salt for each user. If you use the password as the salt, you lose the value of the salt (since an attacker can easily generate a rainbow table or do reverse lookups very easily with that scheme). With a randomly generated salt of sufficient length (greater than 128 bits), an attacker cannot easily brute force your password hashes, and each password hash must be brute forced individually, even if users use the same password.